Discussion forums

NTLM authentication

Piero Ribichini, modified 13 years ago.

NTLM authentication

New Member Posts: 5 Join Date: 7/07/10 Recent Posts
Hi,
I'm trying to configure NTLM authentication in Liferay 6.0.5 with
Microsoft Active Directory on Windows Server 2008 R2.
During my test I receive the following error:

ERROR [NtlmFilter:214] Unable to perform NTLM authentication
com.liferay.portal.security.ntlm.NtlmLogonException: Session key negotiation failed
at com.liferay.portal.security.ntlm.NetlogonConnection.connect(NetlogonConnection.java:112)
at com.liferay.portal.security.ntlm.Netlogon.logon(Netlogon.java:54)
at com.liferay.portal.security.ntlm.NtlmManager.authenticate(NtlmManager.java:70)
at com.liferay.portal.servlet.filters.sso.ntlm.NtlmFilter.processFilter(NtlmFilter.java:209)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:123)

Configuration parameters seem correct. Computer service account was created and password was assigned.

Is it a configuration issue?

Thanks, Piero
Marek Gregor, modified 13 years ago.

RE: NTLM authentication

New Member Posts: 2 Join Date: 25/11/10 Recent Posts
Hello Pietro

We have experienced the same problem without any success. Searching the web, we found that the problem may lie deeper in the jcifs library, which Liferay 6.0.5 uses internally for NTLM: http://samba.2283325.n4.nabble.com/JCIFS-and-Windows-2008-R2-with-IE8-td2964420.html

Inspecting the source code/debugging, we found
that netrServerAuthenticate3.getServerCredential() returns a byte array filled with zeroes: http://www.jarvana.com/jarvana/view/com/liferay/portal/portal-impl/6.0.5/portal-impl-6.0.5-sources.jar!/com/liferay/portal/security/ntlm/NetlogonConnection.java?format=ok

so the problem is somewhere in the filling of the netrServerAuthenticate3 object by dcerpcHandle.sendrecv(netrServerAuthenticate3);

mg.
Marek Gregor, modified 13 years ago.

RE: NTLM authentication

New Member Posts: 2 Join Date: 25/11/10 Recent Posts
Maybe also interesting: http://adtroubleshooting.deuby.com/2010/02/w2k8-r2-ad-upgrade-tip-ntlm-changes.html
Patrice Laramee, modified 13 years ago.

RE: NTLM authentication

New Member Posts: 4 Join Date: 25/01/11 Recent Posts
Hi,

I had the same issue but I realized it was a configuration error.

Here's what I've done to fix it... The online documentation for NTLM authentication is really outdated... It talks about NTLMv1 but in Liferay 6+ it's forced to NTLMv2.

Two things to take into consideration:
1- Make sure your PC will support NTLMv2 auth... This can be found in Control Panel/Local Security Policies/*NTLM* (There's more than one to check, but 'Network Security: LAN Manager authentication level' should be set to 'Send LM & NTLM - use NTLMv2 session security if negotiated') (insecure... I know! It's for legacy Intranet support)
2- Look at the configuration in Liferay

Domain Controller: IP to domain controller
Domain Controller Name: netbios name of the DC
Domain: DOMAIN
Service Account: A computer account
Service Password: (tricky to set, you will need a script provided by Liferay)


Example call for the following script
C:\liferay\>cscript setcomputerpass.vbs "CN=liferay,OU=computers,dc=DOMAIN,dc=com"

save it as SetComputerPass.vbs
------------------ CODE ---------------------
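Option Explicit
' Sets the password of an Active Directory computer account.
' Run with cscript (not wscript) so that WScript.StdOut is available.
Dim strDn, objPassword, strPassword, objComputer

' Exactly one argument is expected: the distinguished name of the computer object.
If WScript.Arguments.Count <> 1 Then
    WScript.Echo "Usage: SetComputerPass.vbs <ComputerDN>"
    WScript.Quit
End If

strDn = WScript.Arguments.Item(0)

' ScriptPW.Password reads the password from the console without echoing it.
Set objPassword = CreateObject("ScriptPW.Password")
WScript.StdOut.Write "Password:"
strPassword = objPassword.GetPassword()

' Bind to the computer object over LDAP and set its password.
Set objComputer = GetObject("LDAP://" & strDn)
objComputer.SetPassword strPassword

WScript.Echo
WScript.Echo "Password set on " & strDn

WScript.Quit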
------------------ CODE ---------------------

There was a bug in the original script provided by liferay, I had to modify the original script.

Hope it helps!
-Pat
Christopher Lui, modified 13 years ago.

RE: NTLM authentication

Junior Member Posts: 39 Join Date: 22/03/10 Recent Posts
There is a known issue with NTLM authenticating with 2008 R2.

See http://issues.liferay.com/browse/LPS-15380
Patrice Laramee, modified 13 years ago.

RE: NTLM authentication

New Member Posts: 4 Join Date: 25/01/11 Recent Posts
Forgot to mention, I was using Windows Server 2003.
Jason Smith, modified 11 years ago.

RE: NTLM authentication

New Member Posts: 17 Join Date: 19/04/11 Recent Posts
Is liferay 6.1 GA2 supposed to work with NTLMv2 and Microsoft AD 2008 R2?

I read:
http://www.windowsecurity.com/articles/Protect-Weak-Authentication-Protocols-Passwords.html

When I got security policy "Send NTLMv2 response only/refuse LM" in Domain Controller, everything works fine.
When I put "Send NTLMv2 response only/refuse LM & NTLM" to Domain Controller, it stops working and IE 9 starts popping up a username and password dialog.

Liferay property is set to default:
ntlm.auth.negotiate.flags=0x600FFFFF

Anybody know where is the problem?

By changing the security policy to be more strict, I get the following exception:

16:09:53,111 ERROR [NtlmFilter:235] Unable to perform NTLM authentication
com.liferay.portal.security.ntlm.NtlmLogonException: Unable to authenticate due to communication failure with server
at com.liferay.portal.security.ntlm.Netlogon.logon(Netlogon.java:96)
at com.liferay.portal.security.ntlm.NtlmManager.authenticate(NtlmManager.java:69)
at com.liferay.portal.servlet.filters.sso.ntlm.NtlmFilter.processFilter(NtlmFilter.java:230)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:57)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:206)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:108)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:116)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:116)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:116)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:187)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:95)
..........
Caused by: jcifs.smb.SmbAuthException: Logon failure: unknown user name or bad password.
at jcifs.smb.SmbTransport.checkStatus(SmbTransport.java:528)
at jcifs.smb.SmbTransport.send(SmbTransport.java:645)
at jcifs.smb.SmbSession.sessionSetup(SmbSession.java:322)
at jcifs.smb.SmbSession.send(SmbSession.java:224)
at jcifs.smb.SmbTree.treeConnect(SmbTree.java:176)
at jcifs.smb.SmbFile.doConnect(SmbFile.java:906)
at jcifs.smb.SmbFile.connect(SmbFile.java:949)
at jcifs.smb.SmbFile.connect0(SmbFile.java:875)
at jcifs.smb.SmbFileInputStream.<init>(SmbFileInputStream.java:76)
at jcifs.smb.TransactNamedPipeInputStream.<init>(TransactNamedPipeInputStream.java:38)
at jcifs.smb.SmbNamedPipe.getNamedPipeInputStream(SmbNamedPipe.java:166)
at jcifs.dcerpc.DcerpcPipeHandle.doSendFragment(DcerpcPipeHandle.java:66)
at jcifs.dcerpc.DcerpcHandle.sendrecv(DcerpcHandle.java:181)
at jcifs.dcerpc.DcerpcHandle.bind(DcerpcHandle.java:126)
at com.liferay.portal.security.ntlm.NetlogonConnection.connect(NetlogonConnection.java:88)
at com.liferay.portal.security.ntlm.Netlogon.logon(Netlogon.java:50)
... 68 more
Jason Smith, modified 11 years ago.

RE: NTLM authentication

New Member Posts: 17 Join Date: 19/04/11 Recent Posts
It seems to me, even though I'm trying to use NTLMv2, it's still using NTLMv1.

Or am I wrong?
Domingo Martinez, modified 9 years ago.

RE: NTLM authentication

New Member Posts: 8 Join Date: 29/01/15 Recent Posts
Hi,
I'm also trying to configure NTLM authentication in Liferay Portal Community Edition 6.2 CE GA2 (Newton / Build 6201 / March 20, 2014) with
Microsoft Active Directory on Windows Server 2008 R2. It is set to "Send NTLMv2 response only" as the network security LAN Manager authentication level.

I received the exception "Session key negotiation failed". How can I avoid this problem?

Thanks,
Chris Börgermann, modified 9 years ago.

RE: NTLM authentication

New Member Posts: 8 Join Date: 3/09/13 Recent Posts
Same problem here.

We had the opportunity to use a workaround by updating the local security policy.
1. Click Start, in the Start Search box enter “gpedit.msc”
2. Navigate to Computer Configuration->Windows Settings->Security Settings->Local Policies->Security Options.
3. In the right pane, find "Network Security: LAN Manager Authentication Level" and double-click it.
4. Change the setting from "Send NTLMv2 response only" to "Send LM & NTLM - use NTLMv2 session if negotiated"

But I am still searching for the "correct" way.
Domingo Martinez, modified 9 years ago.

RE: NTLM authentication

New Member Posts: 8 Join Date: 29/01/15 Recent Posts
Hi Crist,

I solved it the way you said: I set this value on the client side and the authentication with NTLM works fine.

Thanks a lot for your advice,
Silvio Meier, modified 8 years ago.

RE: NTLM authentication

New Member Posts: 8 Join Date: 6/05/14 Recent Posts
Hi Chris and Domingo

We also had this problem at our company using LR 6.2. Our configuration only worked with the client-side setting "Send LM & NTLM - use NTLMv2 session security if negotiated" on our client systems. In contrast, the setting "Send NTLMv2 response only/refuse LM & NTLM" or "Send NTLMv2 response only/refuse LM" was not successful. This indicates that NTLMv1 is used instead of NTLMv2 and this is not recommended.

When configuring NTLMv2, we encountered two possible pitfalls with respect to the configuration settings of ntlm.auth.domain.controller.name and ntlm.auth.domain in portal-ext.properties file or the corresponding fields in the control panel UI of Liferay.

1. Pitfall
The controller name must be specified either as IP address or as *netbios name*. The netbios name of the ntlm.auth.domain.controller.name must be written without a trailing dollar sign ($), which is sometimes used for netbios names of computers. If not specifying a proper netbios name, you will probably get the exception com.liferay.portal.security.ntlm.NtlmLogonException: Session key negotiation failed. Ask the system administrator of your domain controller in order to get the netbios name. Example for the controller name setting:

ntlm.auth.domain.controller.name=MYCONTROLLER

2. Pitfall
The problem described above is probably caused by the setting ntlm.auth.domain which *must* be the netbios name of the domain. Example:

ntlm.auth.domain=MYDOMAIN


If you set an improper netbios name, for example, if you set the internet DNS name of the domain, the client settings "Send NTLMv2 response only/refuse LM" or "Send NTLMv2 response only/refuse LM & NTLM" do not work! The only setting that is working is "Send LM & NTLM - use NTLMv2 session security if negotiated" or any setting that is weaker.

I assume that this is because only NTLMv2 uses the netbios name controller but not NTLMv1. So if the netbios name of the controller is found to be wrong while trying to use NTLMv2, NTLMv1 is used as fallback. If this is not possible because the security restrictions are set to "Send NTLMv2 response only/refuse LM" or "Send NTLMv2 response only/refuse LM & NTLM", an exception occurs: com.liferay.portal.security.ntlm.NtlmLogonException: Unable to authenticate user: Logon failure: unknown user name or bad password.

In order to retrieve the proper netbios name of the domain, open a command line (cmd.exe) with a user that is a member of that domain. Then enter the command in the command line

SET


Look in the output for the variable USERDOMAIN. As a side note: the variable USERDNSDOMAIN contains the internet domain name of the domain which is also shown by System Control Panel --> System in the Windows settings. This could look something like that:


...
USERDNSDOMAIN=MYDOMAIN.EXAMPLE.COM
USERDOMAIN=MYDOMAIN
...


Use the value of the variable USERDOMAIN as value for ntlm.auth.domain. After doing so, we could set "Send NTLMv2 response only/refuse LM" or "Send NTLMv2 response only/refuse LM & NTLM" (or just leave the default settings of Windows 7+) on the clients and it worked without any problems for LR 6.2!

I think the pitfalls described above are caused because the use of the netbios names is not obvious from the official Liferay documentation https://www.liferay.com/de/community/wiki/-/wiki/Main/NTLMv2+SSO+Configuration. For retrieving the domain (Pitfall 2), Microsoft documentation instructs you to use the domain name from the System Control Center --> System for newer Windows versions, which is the internet domain name (cf. variable USERDNSDOMAIN above) of the domain and not the netbios name. This is maybe the root of the problem.

Maybe it helps for solving your issues.

Silvio
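The two pitfalls from the post above, as an added example that is not part of the original thread or of Liferay: a small check of portal-ext.properties that flags a controller name ending in `$` and a domain given as a DNS name. The 15-character limit and the forbidden-character set are general NetBIOS naming rules assumed here, and the sample files are constructed from the post's placeholder names.

```python
import ipaddress
import re

# Characters Windows does not accept in NetBIOS names (the dot is checked
# separately because it is the usual sign of a DNS name). Assumed rule set.
_FORBIDDEN = re.compile(r'[\\/:*?"<>|]')
_LINE = re.compile(r'^([^=:\s]+)\s*[=:]\s*(.*)$')


def parse_properties(text):
    """Read key=value pairs, skipping blank lines and #/! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = _LINE.match(line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def netbios_problems(value):
    """Return the reasons why value does not look like a NetBIOS name."""
    if not value:
        return ["is empty"]
    problems = []
    if value.endswith("$"):
        problems.append("ends with '$'")
    if "." in value:
        problems.append("contains a dot (DNS name?)")
    if len(value.rstrip("$")) > 15:
        problems.append("is longer than 15 characters")
    if _FORBIDDEN.search(value):
        problems.append("contains a character not allowed in NetBIOS names")
    return problems


def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def lint_ntlm(props):
    """Check the two settings from the pitfalls; returns (key, problem) pairs."""
    findings = []
    dc_name = props.get("ntlm.auth.domain.controller.name", "")
    if not is_ip(dc_name):  # pitfall 1: IP address or NetBIOS name, no '$'
        findings += [("ntlm.auth.domain.controller.name", p)
                     for p in netbios_problems(dc_name)]
    domain = props.get("ntlm.auth.domain", "")  # pitfall 2: NetBIOS domain name
    findings += [("ntlm.auth.domain", p) for p in netbios_problems(domain)]
    return findings


# Constructed sample files, using the placeholder names from the post.
BAD = """\
# portal-ext.properties (constructed)
ntlm.auth.domain.controller.name=MYCONTROLLER$
ntlm.auth.domain=MYDOMAIN.EXAMPLE.COM
"""
GOOD = """\
ntlm.auth.domain.controller.name=MYCONTROLLER
ntlm.auth.domain=MYDOMAIN
"""

if __name__ == "__main__":
    for name, text in (("BAD", BAD), ("GOOD", GOOD)):
        for key, problem in lint_ntlm(parse_properties(text)):
            print(f"{name}: {key} {problem}")
```
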
NGHE KIEN, modified 8 years ago.

RE: NTLM authentication

New Member Posts: 2 Join Date: 22/01/16 Recent Posts
Hi Silvio Meier,

I did the same steps that you mention but I always got the error

com.liferay.portal.security.ntlm.NtlmLogonException: Session key negotiation failed

My environments:
Liferay CE 6.2
Windows Server 2008
domain: test.org
NetBIOS: TEST
Computer acct: LIFERAY$@TEST.ORG
Password: password

connection with LDAP works fine

I have tried with all options for LAN Manager authentication level on Client PC, but still the same error...

Thanks in advance for helping
Parveen Kumar, modified 6 years ago.

RE: NTLM authentication

New Member Posts: 1 Join Date: 19/03/18 Recent Posts
Thanks a lot! Sir...

It is really helpful.

God Bless you.
Roshan Qureshi, modified 5 years ago.

RE: NTLM authentication

Regular Member Posts: 159 Join Date: 24/08/10 Recent Posts
Christopher Lui: There is a known issue with NTLM authenticating with 2008 R2.

See http://issues.liferay.com/browse/LPS-15380


I see this issue. It is fixed for EE as per the resolution there.

Is there any patch for CE ?


Thanks.
Roshan Qureshi, modified 5 years ago.

RE: NTLM authentication

Regular Member Posts: 159 Join Date: 24/08/10 Recent Posts
Christopher Lui: There is a known issue with NTLM authenticating with 2008 R2.

See http://issues.liferay.com/browse/LPS-15380


Is it still an issue with Liferay CE GA7? As per the link above it was fixed for EE. No mention of CE is there.

Is there any way to confirm whether it is fixed for CE as well or not?

Thanks
Christoph Rabel, modified 5 years ago.

RE: NTLM authentication

Liferay Legend Posts: 1554 Join Date: 24/09/09 Recent Posts
That issue is ancient and it doesn't seem to have anything to do with your problem.

In general:
If an issue is fixed in EE, it is also fixed in CE. But there are no patches for CE. So, all CE releases before 6.0.12 EE are affected by the problem. All releases since 6.1 CE should not be affected by that issue anymore.


While it is in general true, that all fixes are applied to CE too, please note:

There is also a gap between the "packaging" date of CE and the release date. So, when an issue is fixed on March 5 and the CE is released on March 10, you can be quite sure that that fix is not included. The CE release was branched much earlier and very recent fixes usually are not included (except for really important/breaking ones).
Roshan Qureshi, modified 5 years ago.

RE: NTLM authentication

Regular Member Posts: 159 Join Date: 24/08/10 Recent Posts
Hello,

I have tried all suggestions in above thread but still getting below exception. Appreciate help from experts on NTLM.

Environment :  LIFERAY 7 GA7 CE + WINDOWS SERVER 2012


ERROR [ajp-nio-8009-exec-9][NtlmFilter:298] Unable to perform NTLM authentication
com.liferay.portal.security.sso.ntlm.internal.NtlmLogonException: Unable to authenticate due to communication failure with server
at com.liferay.portal.security.sso.ntlm.internal.Netlogon.logon(Netlogon.java:115)
at com.liferay.portal.security.sso.ntlm.internal.NtlmManager.authenticate(NtlmManager.java:74)
at com.liferay.portal.security.sso.ntlm.internal.servlet.filter.NtlmFilter.processFilter(NtlmFilter.java:294)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:144)
at com.liferay.portal.monitoring.internal.servlet.filter.MonitoringFilter.processFilter(MonitoringFilter.java:181)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:188)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:96)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:188)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:96)
at org.tuckey.web.filters.urlrewrite.RuleChain.handleRewrite(RuleChain.java:176)
at org.tuckey.web.filters.urlrewrite.RuleChain.doRules(RuleChain.java:145)
at org.tuckey.web.filters.urlrewrite.UrlRewriter.processRequest(UrlRewriter.java:92)
at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:394)
at com.liferay.portal.servlet.filters.urlrewrite.UrlRewriteFilter.processFilter(UrlRewriteFilter.java:65)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:168)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:96)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:168)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:96)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:188)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:96)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilter.doFilter(InvokerFilter.java:100)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:522)
at org.apache.coyote.ajp.AbstractAjpProcessor.process(AbstractAjpProcessor.java:868)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:672)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1500)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1456)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
Caused by: jcifs.smb.SmbException: Failed to connect: 0.0.0.0<00>/<domain IP>
jcifs.util.transport.TransportException: Connection timeout
at jcifs.util.transport.Transport.connect(Transport.java:174)
at jcifs.smb.SmbTransport.connect(SmbTransport.java:307)
at jcifs.smb.SmbTree.treeConnect(SmbTree.java:156)
at jcifs.smb.SmbFile.doConnect(SmbFile.java:911)
at jcifs.smb.SmbFile.connect(SmbFile.java:954)
at jcifs.smb.SmbFile.connect0(SmbFile.java:880)
at jcifs.smb.SmbFileInputStream.<init>(SmbFileInputStream.java:76)
at jcifs.smb.TransactNamedPipeInputStream.<init>(TransactNamedPipeInputStream.java:38)
at jcifs.smb.SmbNamedPipe.getNamedPipeInputStream(SmbNamedPipe.java:166)
at jcifs.dcerpc.DcerpcPipeHandle.doSendFragment(DcerpcPipeHandle.java:66)
at jcifs.dcerpc.DcerpcHandle.sendrecv(DcerpcHandle.java:190)
at


Thanks.
Christoph Rabel, modified 5 years ago.

RE: NTLM authentication

Liferay Legend Posts: 1554 Join Date: 24/09/09 Recent Posts
When looking at an exception, the "Caused by" block is usually quite important. It says there:

Failed to connect: 0.0.0.0<00>/172.16.201.65

Looks like a network issue.
I guess, 172.16.201.65 is the IP of your domain controller. Correct?
Please check, from the server where Liferay is installed:

Is it reachable? Can you ping it?
Roshan Qureshi, modified 5 years ago.

RE: NTLM authentication

Regular Member Posts: 159 Join Date: 24/08/10 Recent Posts
Thanks for quick reply.

We checked everything and we are able to ping the controller IP but NOT ABLE TO telnet CONTROLLER (domain) on port 389.  Is it required?

Also, do you know the meaning of the leading zeros in the logs:

"Failed to connect: 0.0.0.0<00>/domain IP"


Thread - https://community.liferay.com/forums/-/message_boards/message/112819703 says

" Inspecting source code/debugging we found:
that netrServerAuthenticate3.getServerCredential() returns byte array filled with zeroes: http://www.jarvana.com/jarvana/view/com/liferay/portal/portal-impl/6.0.5/portal-impl-6.0.5-sources.jar!/com/liferay/portal/security/ntlm/NetlogonConnection.java?format=ok

so problem is somewhere in filling netrServerAuthenticate3 object by dcerpcHandle.sendrecv(netrServerAuthenticate3); "


Appreciate your help.
Karthik Nainupatruni, modified 4 years ago.

RE: NTLM authentication

Junior Member Posts: 28 Join Date: 5/05/15 Recent Posts
Hi
Has anyone worked on NTLMFilters in Liferay 7 to make it work for the Chrome browser?
Christoph Rabel, modified 4 years ago.

RE: NTLM authentication

Liferay Legend Posts: 1554 Join Date: 24/09/09 Recent Posts
Well, to give you an honest answer:
I usually don't bother creating an ext plugin (I actually don't know anymore how to do that in 7.x) and just fetch the NTLMFilter.java file from github, change the code, build it and replace that class in the original war file. Since there are very seldom changes to that class, that works pretty well. Of course, you would need to do that for every upgrade, so it could be a bit of a pain in the ....
This is one of the BUGS (yes, I consider this a bug, not a feature) that annoys me to no end since there is no real nice way to work around it.
Karthik Nainupatruni, modified 4 years ago.

RE: NTLM authentication

Junior Member Posts: 28 Join Date: 5/05/15 Recent Posts
Thanks for the reply,
I have commented out the BrowserSniffer code as mentioned above, and it is working fine in Liferay 7.2.1 GA2 by customizing the core portal-security-sso-ntlm-impl module